# {{output.header}}
# {{{output.link}}}
TLSEngine                     on
TLSRequired                   on

TLSCertificateChainFile       /path/to/certificate_chain

# ECDSA certificate
TLSECCertificateFile          /path/to/signed_cert
TLSECCertificateKeyFile       /path/to/private_key

# RSA certificate, if using RSA certificates instead
# TLSRSACertificateFile         /path/to/signed_cert
# TLSRSACertificateKeyFile      /path/to/private_key
{{#if output.usesDhe}}

# {{output.dhCommand}} >> /path/to/dhparam
TLSDHParamFile                /path/to/dhparam
{{/if}}

# {{form.config}} configuration, tweak to your needs
TLSProtocol                  {{#each output.protocols}} {{this}}{{/each}}
{{#if output.ciphers.length}}
TLSCipherSuite                {{{join output.ciphers ":"}}}
{{/if}}
{{#if (minver "1.3.6" form.serverVersion)}}
TLSServerCipherPreference     {{#if output.serverPreferredOrder}}on{{else}}off{{/if}}
{{/if}}
{{#if (minver "1.0.2l" form.opensslVersion)}}
  {{#if (minver "1.3.6" form.serverVersion)}}
TLSessionTickets              off
  {{/if}}
{{/if}}
{{#if form.ocsp}}
  {{#if (minver "1.3.6" form.serverVersion)}}

# requires mod_tls_shmcache
TLSStapling                   on
TLSStaplingCache              "shmcb:logs/ssl_stapling(32768)"
  {{/if}}
{{/if}}